CVE-2025-0133 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 5.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: RUGGEDCOM APE1808
Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Siemens RUGGEDCOM APE1808: All versions with Palo Alto Networks Virtual NGFW with an enabled GlobalProtect gateway or portal
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft, particularly if you enabled Clientless VPN.
CVE-2025-01...
CVSS: MEDIUM (5.1) EPSS Score: 0.1%
June 12th, 2025 (7 days ago)
|
CVE-2025-2745 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 4.5
ATTENTION: Exploitable remotely
Vendor: AVEVA
Equipment: PI Web API
Vulnerability: Cross-site Scripting
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to disable content security policy protections.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AVEVA PI Web API are affected:
PI Web API: Versions 2023 SP1 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
A cross-site scripting vulnerability exists in PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.
CVE-2025-2745 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2745. A base score of 4.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United Kingdom
3....
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
June 12th, 2025 (7 days ago)
|
CVE-2025-49200 |
Description: The created backup files are unencrypted, making the application vulnerable to the gathering of sensitive information by downloading and decompressing the backup files.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
June 12th, 2025 (7 days ago)
|
CVE-2025-49197 |
Description: The application uses a weak password hash function, allowing an attacker to crack the weak password hash to gain access to an FTP user account.
CVSS: MEDIUM (6.5) EPSS Score: 0.02%
June 12th, 2025 (7 days ago)
|
CVE-2025-49196 |
Description: A service supports the use of a deprecated and unsafe TLS version. This could be exploited to expose sensitive information, modify data in unexpected ways or spoof identities of other users or devices, affecting the confidentiality and integrity of the device.
CVSS: MEDIUM (6.5) EPSS Score: 0.02%
June 12th, 2025 (7 days ago)
|
CVE-2025-49195 |
Description: The FTP server’s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.
CVSS: MEDIUM (5.3) EPSS Score: 0.07% SSVC Exploitation: none
June 12th, 2025 (7 days ago)
|
CVE-2025-49193 |
Description: The application fails to implement several security headers. These headers help increase the overall security level of the web application by, e.g., preventing the application from being displayed in an iframe (clickjacking attacks) or preventing injected malicious JavaScript code from being executed (XSS attacks).
CVSS: MEDIUM (4.2) EPSS Score: 0.07% SSVC Exploitation: none
June 12th, 2025 (7 days ago)
|
CVE-2025-49192 |
Description: The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.
CVSS: MEDIUM (4.3) EPSS Score: 0.04% SSVC Exploitation: none
June 12th, 2025 (7 days ago)
|
CVE-2025-49191 |
Description: Linked URLs during the creation of iFrame widgets and dashboards are vulnerable to code execution. The URLs get embedded as iFrame widgets, making it possible to attack other users that access the dashboard by including malicious code. The attack is only possible if the attacker is authorized to create new dashboards or iFrame widgets.
CVSS: MEDIUM (4.8) EPSS Score: 0.03% SSVC Exploitation: none
June 12th, 2025 (7 days ago)
|
CVE-2025-49190 |
Description: The application is vulnerable to Server-Side Request Forgery (SSRF). An endpoint can be used to send server internal requests to other ports.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
June 12th, 2025 (7 days ago)
|